1. Field of the Description
This description is generally directed toward systems and methods for managing communications between numerous contracting entities (including, but not limited to, banks and other financial institutions, or “consumers” of information) and service and/or product providers (“providers” of information), and, more particularly, toward systems and methods for providing a centralized third party data hub that may store third party data (or third party risk management information), such as answers to a third-party/vendor questionnaire and external audit documentation, that may be used in a risk management process, e.g., as part of third-party oversight (“TPO”). For purposes herein, third-party relationships include activities that involve outsourcing products and services and that involve the use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records.
2. Relevant Background
There are numerous situations in commerce and other settings where large sets of data and information need to be collected from a set of entities or third parties and processed by another entity. For example, it is common for businesses and other entities that are working with numerous third-party service or product providers (sometimes referred to as “providers” or “third party data providers” herein) to gather sets of data for their respective applicable products and services via questionnaires and to process the data as part of a bid, planning, and/or due diligence process prior to contracting with the third party. As a result, each business entity may receive numerous (i.e., tens to hundreds to thousands of) completed questionnaires, and, conversely, each third party may have to complete a new questionnaire for every entity to which it wishes to provide its services and/or products. The questionnaires are typically completed digitally via spreadsheets or other forms and submitted online or over a network (e.g., the Internet or another digital communications network), and the tasks of requesting, providing, and processing this data are time-consuming, repetitive, and inefficient for both the data consumer and the data provider.
To better explain the issues addressed by the systems and methods described herein, it may be useful to discuss a particular environment or application in which large amounts of data need to be collected from third parties and processed by contracting entities (or other data consumers). Banks and other financial institutions (collectively labeled “banks”; banks and other entities that use and access third party data are, as a group, labeled “data consumers”) are required by government institutions to perform third party risk management in a particular manner based on numerous laws and regulations. A bank is responsible for assessing and managing risks associated with third-party relationships, as a bank's use of a third party does not diminish its responsibility to ensure that an activity is performed in a safe and sound manner and in compliance with applicable laws. The need for an effective risk management process and/or TPO has grown as banks continue to increase the number and complexity of their relationships with both foreign and domestic third parties, including by outsourcing bank functions such as tax, legal, audit, or information technology (IT) operations, relying on third parties to engage directly with customers, and working with third parties to address deficiencies in bank operations or to provide compliance with laws or regulations.
It is generally expected by governments that a bank will have risk management processes that are commensurate with the level of risk and complexity of its third party relationships and the bank's organizational structures. Hence, more comprehensive and rigorous oversight (or TPO) may be provided for third party relationships that involve more critical activities (e.g., significant bank functions such as payments, clearing, settlements, and custody, significant shared services such as IT, or activities that could cause a bank to face significant risk if the third party fails to meet expectations, could have significant customer impacts, require significant investment in resources to implement the third-party relationship and manage the risk, or could have a major impact on bank operations if the bank has to find an alternate third party).
An effective third-party risk management (TPO) process should follow a continuous life cycle for all relationships, and it may incorporate the following phases: (1) planning, which includes developing a plan to manage the relationship; (2) due diligence and third-party selection, which may include conducting a review of a potential third party before signing a contract so as to understand and control the risks posed by the relationship; (3) contract negotiation, which may include developing a contract that clearly defines the expectations and responsibilities of the third party; (4) ongoing monitoring, including monitoring of the third-party relationship once the contract is in place; and (5) termination, which may include developing a contingency plan to ensure the bank can transition the activities to another third party or to in-house sources, or discontinue the activities. Throughout the life cycle, the bank should also perform oversight and accountability, documentation and reporting, and independent reviews.
Presently, in the United States and worldwide, regulators are concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. The contracting entities (i.e., banks in this example) attempt to gather large amounts of third party management information using third-party or vendor questionnaires (e.g., spreadsheets). The current process was created over a number of years, has not served to most effectively assess and mitigate risk, and has not kept pace with technological innovations. It is therefore inefficient and costly for all parties involved, as each bank, or even each TPO function or each segment of the third party management life cycle (such as planning, due diligence and third-party selection, and ongoing monitoring), will send one or more questionnaires to each of its potential and existing third parties. As a result, under the current bilateral model, a third party is forced to complete multiple questionnaires that include the same or similar questions and that call for the same or similar answers. Often, the bank will have difficulty determining whom to contact for completion of the third party questionnaire, and, typically, the bank may have only a single contact at a third party rather than a contact for the particular portion of the third party that provides a desired service or product. This leads to delayed responses to the bank and delays the critical aspect of timely third party ongoing monitoring that a bank performs.
In existing third party risk management systems, there is significant duplication of effort for both the bank and the third party. Many third parties have multiple business entities, subsidiaries, and products (collectively “business units”), which can make it difficult for banks to track their third parties, and the business units may provide third party management information separately to the bank, which can cause inefficiencies and confusion during risk management processes and TPO. Tracking large numbers of third parties (e.g., many banks will have hundreds to tens of thousands of third parties, and this number is further multiplied by the number of products and services provided by each third party) to collect and process third party management information has proven to be very difficult, if not nearly impossible, without the availability of an automated system. From the third parties' point of view, third parties have become increasingly challenged and frustrated as they are required to provide similar, if not the same, information to their many customers. The requests for information they receive, and the resulting costs of providing it, have skyrocketed and have actually served to impede their business and revenue recognition. Increasing demand for information of a much larger scope is leading to longer response times from the third parties and, in some cases, to substandard responses from the third parties, and this may actually lead to increased or undetected risks associated with third-party relationships rather than to high-quality responses and decreased risks.
Hence, there remains a need for improved systems and methods of managing third parties. Preferably, such improved methods and systems would provide an automated way to identify third parties and their business units and gather third party risk management information (e.g., answers to third party questionnaires or requests for external audit documentation) and would also facilitate communications between contracting entities (e.g., banks and other business or non-business entities that contract with third parties for services and/or products) and third parties.